Secure services

ABSTRACT

An identification code is assigned to a user by making a selection from a closed set of possible tokens. The selection is determined algorithmically by user identity data. The format of the identification code may comprise a sequence of natural language words chosen from closed sets and a separator character having a fixed value or a small range of possible values. The closed sets may be programmed in the recognition grammar of a speech interface to secure services such as banking.

[0001] The present invention relates to secure services suitable for use, for example, over a communications network. In particular, it concerns identification codes for users of such services.

[0002] Related inventions are described and claimed in our copending application EP00302045.0.

[0003] Increasingly, face-to-face transactions between customers and service providers are being replaced by transactions carried out remotely over a communications network. This provides ease of access for the customer, and reduced costs for the service operator. For example, in the case of banking services, there has been a rapid rise in Internet banking and in telephone banking operations. Internet banking in particular offers the possibility of large cost savings, since customer transactions can be fully automated. Currently, telephone banking is implemented using human operators and a call centre. It would be desirable to automate telephone banking using interactive voice response (IVR) technology. One potential barrier to doing so is the need for secure identification of customers. Conventionally, for Internet banking using a text interface, the customer identifies themselves using an account number and PIN. However, using speech recognition systems, recognition accuracy for long strings of numbers is relatively poor. Accordingly, an alternative form of identification is required.

[0004] According to the present invention, there is provided a method of assigning an identification code from a finite grammar defining all possible identification codes, the method comprising the steps:

[0005] a) selecting a word from each of a plurality of predetermined sets of words according to identification data relating to a user;

[0006] b) concatenating said words to form a sequence for use as the identification code; and

[0007] c) storing a record of the sequence and of the identity of the user associated with said identification code.

[0008] The present inventors have devised an identification code format that both optimises accuracy of recognition and also offers enhanced memorability and ease of use for the customer. This is achieved by using natural language words chosen from predefined and limited sets, in a predetermined order, for example first word, separator, second word. The word sets may then be programmed into the recognition vocabulary of a speech recognition system, and the format programmed into the recognition grammar, to enable the highest levels of recognition accuracy. The method of the invention maps a potentially unbounded set of users to addresses formed from closed sets of tokens in a way which is systematically determined by the user's identifying data, and which is as a result memorable for the user.

[0009] Preferably the selecting step a) comprises sub steps of

[0010] d) receiving from a user, identification data comprising a number of attributes, each attribute corresponding to one of said predetermined sets;

[0011] e) selecting for each user attribute, a word from the associated predetermined set which is related to the supplied user attribute.

[0012] For example, the selecting sub step e) may comprise selecting a word which is equal to the supplied user attribute if the supplied user attribute is a member of the associated predetermined set, otherwise selecting a word from the associated predetermined set which is related to the spelling of the supplied user attribute.

[0013] Preferably the finite grammar includes a phrase associated with one of said predetermined sets of words and in which the phrase distinguishes between homonyms in said one set of predetermined words. The phrase may be in the form of a number. The use of a short number of a few digits in conjunction with one of the natural language words allows several users to have the same word from the set of words and adds to the phonetic distinctiveness of the whole phrase.

[0014] This preferred feature of the invention gives a further significant advantage by allowing the voice recognition interface to handle words which have shared pronunciation but different spelling (homophones) or different spellings but common pronunciation (homographs). This novel feature is not limited to use with the identification code format of the first aspect, but may also advantageously be used for disambiguation of members of a pre-defined vocabulary set in other contexts.

[0015] Preferably at least one of the predetermined sets of words comprises a set of personal names. In this case, preferably the number is associated with the element selected from the set of personal names.

[0016] It is found that the ease with which the identification code can be selected, and the memorability of the identification code are enhanced if part of the code is the name or the nickname of the user.

[0017] Systems embodying the present invention will now be described in further detail, by way of example only, with reference to the accompanying drawings, in which:

[0018] FIG. 1 is a diagram showing schematically a communications system suitable for use with the present invention;

[0019] FIG. 2 is an overview of an application architecture;

[0020] FIG. 3 is a diagram showing an example of an address format;

[0021] FIG. 4 shows the recognition search space for the format of FIG. 3;

[0022] FIG. 5 shows an address being allocated to a user;

[0023] FIG. 6 shows mappings between spoken and textual forms of homophones and homographs;

[0024] FIG. 7 shows the format of a multi-bit disambiguation number;

[0025] FIG. 8 shows a first implementation of interfaces between different channels and an application;

[0026] FIG. 9 shows an alternative implementation of interfaces between different channels and the application;

[0027] FIG. 10 shows a speech recognition system for use in methods embodying the invention;

[0028] FIG. 11 shows an address-assigning algorithm.

[0029] An applications server 1 is connected to the public Internet 2. In this example, the applications server runs a banking application. Both voice and text interfaces are provided to the banking application. A customer using the text interface connects with the application server from a customer terminal 3, which, in this example, is a personal computer having an Internet connection. At other times, the customer uses a voice interface. In this case, the customer terminal is a telephone 4, 5 connected to a telephony network 6. Customers accessing the device interface are connected via the telephony networks 6 to an IVR platform 7. The platform 7 includes both a number of telephony ports 71 and also a TCP/IP (Transmission Control Protocol/Internet Protocol) data interface 72. The data interface 72 is connected to the application server 1. This connection may be via the public Internet 2, as shown in the figure. A secure sockets layer (SSL) connection is used to provide cryptographic security for the data. Alternatively, to provide enhanced security, a private intranet may be used, or a direct one-to-one link in the case of an IVR platform co-located with the application server.

[0030] Suitable IVR platforms are available commercially from Periphonics™. Speech recognition software for use on such a platform is available commercially from Nuance™. It will be understood that these products are identified by way of example only, and a number of alternative systems may be substituted including, for example, systems running on Windows NT™ workstations.

[0031] FIG. 10 shows schematically the architecture of the voice recognition system running on the IVR platform 7. The input is a digitised audio signal representing the user's speech. This is processed first by a feature extraction front end 101 before passing to a parser comprising an acoustic matcher 102 and a network parser 103. The acoustic matcher uses speech models 104 to identify elements of the speech signal. The network parser then uses a recognition network 105 embodying a preprogrammed recognition grammar to identify the words spoken by the user. In systems embodying the invention, the recognition grammar includes defined sets of natural language words, numbers and a separator character, as further described below.

[0032] In the present example, the applications running on the server 1 are implemented using a system known as BroadVision that is designed to give users access to account data via multiple channels including the world wide web. At the application level, a common interface is used for the different channels. FIG. 2 shows an overview of a BroadVision banking application. Both the IVR platform and the customer terminal 3 interact with the application via respective HTTP clients. These are termed generically “browsers”, although the IVR platform client is not a conventional graphical/textual web browser. The IVR client does not require HTML information, but only minimal textual information. The communications between the HTTP server and the IVR client are a subset of the data passed between a conventional web browser and the server.

[0033] References in this document to textual interfaces encompass graphical interfaces such as that provided by a conventional web browser, and are not limited to purely textual interfaces.

[0034] One important function of the BroadVision application is the verification of the identity of a customer prior to giving the customer access to account data. To facilitate this function, each user is assigned an identification code in a format termed the Vbank (virtual bank) address format. An example of this format is shown in FIG. 3. The first element 31 is a name selected from a list of e.g. 1000 possible personal names. A two or three digit number 32 is associated with the first element. The use of the number allows multiple users to have the same name as the first element and adds to the phonetic distinctiveness of the whole address. The next element is a separator element 33. In this case, this is the @ sign, pronounced “at”. This is familiar to users from its use in email addresses, and has the advantage that its pronunciation is well known, although if need be, instructions on pronunciation may be communicated to the user, for example on the web page where the Vbank address is first issued. The final element relates to the location of the user and is a geographical name, e.g. a town name, chosen from a list of 500 such names. The geographical names are selected for their phonetic dissimilarity and popularity. For example, London is not included as it would be selected by too many users. Instead a number of London boroughs, e.g. Hammersmith, Croydon, are included. This geographical element serves in use to aid phonetic separation of the user names. Other fields may be substituted where appropriate. For example, a set of postcodes, either complete postcodes or the first part of postcodes, e.g. IP3 and NG14, might be used.

[0035] In this example, the format allows for 1000×999×500, i.e. 499500000 combinations. FIG. 4 shows the recognition search space in the case of the Vbank format described above when, in use, a customer speaks their assigned address to the IVR interface. This is the search space considered by a voice recogniser on the IVR when choosing the most likely result for the utterance being processed. The narrower the search space, the higher the recognition accuracy. The more unconstrained a phrase, the wider the search space is.

[0036] The Vbank format, using defined sets of phonetically distinct names, offers optimal recognition accuracy via the IVR interface, while also being suitable for use via other channels as a text string. The set of names in the defined, closed sets may be chosen to minimize the confusability of the names using a method such as that disclosed in “Predictive Assessment for Speaker Independent Isolated Word Recognisers” Alison Simons, ESCA EUROSPEECH 95 Madrid 1995 pp 1465-1467. Some homophones or near homophones identified using a method such as that described in the Simons paper may nonetheless be included, and then a number is used for disambiguation as further described below.

[0037] FIG. 5 illustrates a preferred approach to assigning an address to an individual customer. A Web interface is used, for example, via the customer terminal. The customer is invited to enter their name and the postcode of their location. In this example, the user name has two parts, a first name, and a surname. These are typed by the user in the relevant query boxes on the Web page. Alternatively, one or more of the elements of the address may be selected by the user from a pull-down list of names displayed on the web page. A script running on the HTTP server then compares the names with the predefined set of 1000 user names. In this particular example, two sets are used, one set contains common first names and the other contains common surnames. In the example illustrated, the name typed by the user is David Wells. In this case, the first name, David, is included in the set of user names and accordingly is used in constructing the VBank address. The second name, Wells, is not present in the set of surnames. In the case of a name falling outside of the predefined set of user surnames, the address allocation programme uses instead of the name, the corresponding initial as represented in the NATO phonetic alphabet. In this example, the initial is W and the corresponding part of the address uses “whisky”. A two digit number, 13, is added to the names for distinctiveness. The address allocation programme takes the postcode, in this example IP2, and looks up a corresponding place name, “Chantry”. This is concatenated with the names and the separator character “@” to give the complete user address: David.Whisky13@Chantry.

[0038] To enhance the distinctiveness of user names for users having, e.g., a surname not included in the predefined set, the initial and two following letters of the surname may be represented using the NATO phonetic alphabet. In the example above, the address would then be David. Whisky Echo Lima@Chantry.

[0039] FIG. 11 shows schematically an address allocation algorithm. The algorithm takes as its input identity information (“ID info”) supplied by the user, for example the user's name and geographical location. A first module 111 of the algorithm compares the ID info with that received from previously enrolled users and stored, with allocated Vbank addresses, in table 112. The output of the module is a parameter N that corresponds to the number of users having matching ID info. For example, if the ID is the first name David and 10 other users have previously input the name David, then the parameter N=10 is returned. The parameter N and ID info are then input to the main address allocation algorithm 113. This maps the user ID info transparently to a Vbank address. By a “transparent” mapping is meant a mapping such that the relationship between the user ID info and the Vbank address is apparent to the end user. This property of transparency means that the Vbank address has generally the same memorability as the user ID info itself, since the user ID info functions as a mnemonic for the Vbank address. An example of a mapping algorithm may be as follows:

[0040] IF input is in closed word set then set Vbank element=input

[0041] ELSE take initial of input and set Vbank element=NATO phonetic alphabet (input initial)

[0042] AND append N to Vbank element.

[0043] This is the type of algorithm used in the examples above. The closed word sets associated with the main algorithm 113 include details of associated pronunciations to allow mapping of different phoneme sequences, e.g. for alternative pronunciations of “smyth”, as further described below.

[0044] The output of the algorithm is a unique text sequence. Several equivalent phoneme sequences may map to the unique text sequence, allowing for different pronunciations of the Vbank address by the user. The speech recognition grammar may then comprise a representation of the closed sets of all possible phoneme sequences that may be generated by the algorithm along with their associated textual equivalents.
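The allocation steps of [0037] and [0039] to [0044] can be followed in the Python sketch below, which is an added example and not code from the patent. The word sets, the IP3 entry, the choice to count N per mapped name element, and the three-digit cap are assumptions made for illustration; only the IP2 to Chantry lookup and the David Wells case come from the text.

```python
from collections import Counter

# Constructed stand-ins for the closed sets; the page describes sets of about
# 1000 names and 500 place names but does not list their members.
FIRST_NAMES = {"david", "claire", "john"}
SURNAMES = {"smith", "jones", "taylor"}
# IP2 -> Chantry is the page's example; the IP3 entry is constructed.
POSTCODE_TO_PLACE = {"IP2": "Chantry", "IP3": "Ipswich"}

# Phonetic alphabet used for out-of-set names ("Whisky" as spelt on the page).
NATO = dict(zip("abcdefghijklmnopqrstuvwxyz", (
    "Alpha Bravo Charlie Delta Echo Foxtrot Golf Hotel India Juliett Kilo "
    "Lima Mike November Oscar Papa Quebec Romeo Sierra Tango Uniform Victor "
    "Whisky Xray Yankee Zulu").split()))

MAX_NUMBER = 999  # assumption: the numeric part never exceeds three digits


def map_element(value, closed_set):
    """[0040]-[0041]: use the input itself if it is in the closed set,
    otherwise the phonetic-alphabet word for its initial."""
    word = value.strip().lower()
    if word in closed_set:
        return word.capitalize()
    if not word or word[0] not in NATO:
        raise ValueError(f"cannot map {value!r} to a closed-set token")
    return NATO[word[0]]


class Allocator:
    """Holds table 112 (enrolled users) and runs modules 111 and 113."""

    def __init__(self):
        self.records = {}        # address -> identity data supplied at enrolment
        self.counts = Counter()  # mapped name element -> users already holding it

    def allocate(self, first, surname, postcode):
        place = POSTCODE_TO_PLACE.get(postcode.strip().upper())
        if place is None:
            raise ValueError(f"postcode {postcode!r} has no place name in the set")
        name = f"{map_element(first, FIRST_NAMES)}.{map_element(surname, SURNAMES)}"
        n = self.counts[name]    # module 111: N = earlier users with matching ID info
        if n > MAX_NUMBER:
            raise ValueError(f"number space exhausted for {name!r}")
        address = f"{name}{n}@{place}"   # [0042]: append N, then separator and place
        if address in self.records:      # the output must stay unique ([0044])
            raise RuntimeError(f"{address} already allocated")
        self.counts[name] += 1
        self.records[address] = {"first": first, "surname": surname,
                                 "postcode": postcode}
        return address


if __name__ == "__main__":
    alloc = Allocator()
    # Constructed enrolment history: 13 earlier users who also map to David.Whisky.
    for _ in range(13):
        alloc.allocate("David", "Walker", "IP3")
    print(alloc.allocate("David", "Wells", "IP2"))   # the page's David Wells case
    print(alloc.allocate("Claire", "Smith", "IP3"))
```
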

[0045] The two digit number associated with one of the names is used to resolve ambiguity in the relationship between spoken and textual forms of the user names in the case of homophones (shared pronunciation, common spelling) and homographs (common spelling, plural valid pronunciations). The term homonym is used in this description to refer to homophones or homographs. This allows the Vbank address to include the correct spelling of the user's name. An example is illustrated in FIG. 6.

[0046] In the figure three surnames are shown which share the pronunciations S M I F and S M IE TH in a way which may be described by a many-to-many mapping. For example, a user named Smithe may enrol on the text based web interface and be given the username smithe1@ipswich using the VBank format. It is assumed that this user will wish to retain the correct spelling of their surname and would therefore not be content with the label smith1@bank. This would be the case particularly if the user always uses the pronunciation S M IE TH for their name which is never used for the surname Smith. A potential difficulty now occurs when the user uses the IVR interface to access their account. Let us assume that the user always speaks their surname as ‘S M I F’. The user may then phone the IVR and speak their username as “S M I F-W O N-AA T-I P S W I CH”. Using the mapping shown in FIG. 6, this could be one of the following usernames:

[0047] smith1@ipswich

[0048] smyth1@ipswich

[0049] How is the machine to know which username to use in the enrolment? There are three options:

[0050] 1. Do not allow any surnames which have homophonic or homographic forms into the scheme. These could all be dealt with using alternative formats such as the NATO phonetic alphabet. The problem with this approach is that 30% of written surnames share a pronunciation with another spelt surname. This would create a large number of exclusions.

[0051] 2. Send both as alternatives and let the banking engine decide which one is valid. This would increase the complexity of the enrolment process and would require changes to the interface with the banking engine.

[0052] 3. A third and preferred option is to embed information into the numeric part of the username to maintain specific spelling alternatives.

[0053] Option 3 is described further below. Consider the following portion of a speech recognition grammar.

“S M I F-W O N” = smith1

“S M I F-T OO” = smyth2

“S M IE TH-T OO” = smyth2

“S M IE TH-W O N” = smythe1

[0054] This lists valid combinations of pronunciations and numbers and assigns textual labels to these combinations. The numbers correspond to the numbers shown on the arcs shown in the Figure above.

[0055] Now the pronounced forms of the combined name and number exactly identify a single written form, and if the text is assigned according to carefully derived rules users will never get the wrong spelling for their surname. By assigning all arcs from a given text form to the same number then the user may even vary the pronunciation of their name within all valid pronunciations and get the correct single text form.

[0056] In the examples so far described, a disambiguating number is used for one only of the address elements, and is placed following the element in question. This is the preferred format, but other arrangements are possible in which the number is at another position in the speech recognition grammar. Most current speech recognisers use finite state grammars with semantic tags attached to certain points in the grammar to enable a meaning to be attached to a lexical token or group of tokens. This approach was assumed by the above example which allowed the tag ‘smith1’ for example to be attached to the sequence “S M I F-W O N”. If it is necessary to link the occurrence of a certain tuple of non-adjacent lexical tokens (e.g. S M I F and W O N) to a single meaning then it becomes more difficult. For example, consider a Vbank address of the format

[0057] Firstname.surname 2-or-3-digit-number@ location.

[0058] In this example, the firstname, surname and town may all have homographs and homophones. If we were to adopt the number based approach described above for the firstname and surname, for example, then the number will have to be shared for three functions:

[0059] Coding correct text for surname

[0060] Coding correct text for firstname

[0061] Allowing disambiguation for multiple people with same name.

[0062] We could consider representing the number as decimal but taking a binary bit based approach to using this number space. For example the first two bits could select the correct firstname text, the second two could be for the surname and the final 4 could be used for disambiguation of multiple entries. This is illustrated in FIG. 7.

[0063] If we now code the actual surname and firstname text options into the grammar as tags on the pronunciations then the actual text can be selected by simple processing outside of the speech recogniser. For example, consider the following semantic labels for surnames and firstnames:

“S M I F” = “smith,smyth”

“S M IE TH” = “-,smyth,smythe”

“C L EI R” = “clare,clair,claire”

[0064] Let us consider allocating a username to the first “claire smyth” from ipswich in the system. Assume that the options are labelled from the left starting with index 0. The firstname is the third text option for the only pronunciation for the clair group, “C L EI R”; thus it has index 2. The surname is the second option of BOTH pronunciations of the smith group of names, thus it has index 1. If we assume that the disambiguation part of the number range will be set to zero on this occasion, then the number should be 2+1*4=6. Hence:

[0065] “claire smyth”=>claire.smyth6@ipswich
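The bit-field number of [0062] to [0065] is worked through in the Python sketch below, an added example that is not part of the patent: it packs the spelling indices into the number at enrolment and unpacks them after recognition, rejecting a pronunciation and number that do not name a valid spelling. The tag tables are copied from [0063]; the function names and the rejection behaviour are assumptions.

```python
# Semantic tags copied from [0063]: pronunciation -> ordered spelling options.
# "-" marks an index that is not valid for that pronunciation.
FIRSTNAME_TAGS = {"C L EI R": ["clare", "clair", "claire"]}
SURNAME_TAGS = {
    "S M I F": ["smith", "smyth"],
    "S M IE TH": ["-", "smyth", "smythe"],
}

INDEX_BITS = 2      # bits per spelling index ([0062])
DISAMBIG_BITS = 4   # bits left to separate users who share a name
INDEX_MASK = (1 << INDEX_BITS) - 1


def spelling_index(text, tags):
    """Index of a spelling within its homonym group. It has to be the same
    under every pronunciation that lists it, or one number could not encode it."""
    found = {opts.index(text) for opts in tags.values() if text in opts}
    if text == "-" or len(found) != 1:
        raise ValueError(f"{text!r} has no single index in the grammar tags")
    index = found.pop()
    if index > INDEX_MASK:
        raise ValueError(f"index {index} does not fit in {INDEX_BITS} bits")
    return index


def encode(first, surname, disambig=0):
    """Enrolment side: firstname index in the low bits, then surname, then
    the disambiguation value, giving 2 + 1*4 = 6 for 'claire smyth'."""
    if not 0 <= disambig < (1 << DISAMBIG_BITS):
        raise ValueError("disambiguation value does not fit in its field")
    return (spelling_index(first, FIRSTNAME_TAGS)
            | spelling_index(surname, SURNAME_TAGS) << INDEX_BITS
            | disambig << (2 * INDEX_BITS))


def username(first, surname, town, disambig=0):
    return f"{first}.{surname}{encode(first, surname, disambig)}@{town}"


def _pick(tags, pronunciation, index):
    options = tags.get(pronunciation)
    if options is None:
        raise ValueError(f"pronunciation {pronunciation!r} is not in the grammar")
    if index >= len(options) or options[index] == "-":
        raise ValueError(f"index {index} is not valid for {pronunciation!r}")
    return options[index]


def decode(first_pron, surname_pron, number):
    """Recognition side: the processing outside the recogniser that turns the
    recognised pronunciations and number into (firstname, surname, disambig)."""
    if not 0 <= number < (1 << (2 * INDEX_BITS + DISAMBIG_BITS)):
        raise ValueError("number outside the 8-bit field")
    first = _pick(FIRSTNAME_TAGS, first_pron, number & INDEX_MASK)
    surname = _pick(SURNAME_TAGS, surname_pron,
                    (number >> INDEX_BITS) & INDEX_MASK)
    return first, surname, number >> (2 * INDEX_BITS)


if __name__ == "__main__":
    print(username("claire", "smyth", "ipswich"))
    # Either valid pronunciation of the surname resolves to the same spelling.
    print(decode("C L EI R", "S M I F", 6))
    print(decode("C L EI R", "S M IE TH", 6))
```
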

[0066] The examples so far described do not provide for disambiguation of homograph and homophone confusions in the town name. This could potentially be allocated another bit in the disambiguation field. Where this is not done, then acoustically confusable towns are not included in the set of possible towns. Towns with exactly the same name may be treated as the same town for username purposes—homophones however need to be treated more carefully. A possible strategy in this instance if two common town names are homophones is to use an alternative location name, e.g. the county name, for the smaller of the two towns. Alternatively, the phonetic alphabet may be used to substitute for the “disallowed” name, as in the case of names falling outside the predefined set.

[0067] As described in outline above, the BroadVision application in this example uses a number of access channels, including both web and IVR channels, via a common API (application programming interface). The implementation of the interfaces is shown in further detail in FIG. 8. The BroadVision API is implemented using Perl scripts and an HTTP interface for both IVR and web channels. Server CGI scripts return HTML text and are replaced, in the case of the IVR interface, by custom scripts that return only the data required for the IVR interface, without the HTML wrapper text. Most of the functionality implemented in the Java scripts for the web channel is necessary for the IVR channel except the HTML formatting which is passed to the web browser. Hence the IVR channel uses derived scripts but the messages that it passes back to the IVR contain the minimum information necessary. The messages each channel passes to the Java scripts are the same and are of standard URL query variable type.

Channel: Web client
Messages to BV application JScripts: URL queries formulated by client side HTML. Each query asks for a banking function and passes the appropriate arguments.
Messages from BV application JScripts: A new HTML page containing results of previous query and facility for new queries. HTML is generated by a Java script which can also handle the new queries.

Channel: IVR client
Messages to BV application JScripts: URL queries formulated by client side Perl scripts. The Perl scripts know the query formats and URLs of other Java scripts if they require more functions.
Messages from BV application JScripts: Java script sends query result information only.

[0068] Input parameters are passed from the Perl code to the Perl scripts via a Perl system block. However there is no direct mechanism for the Perl script to pass return values back so they are stored in a file which the Perl code parses. FIG. 9 shows an alternative to the use of parameter passing between Perl code (that is the native applications running on the IVR platform) and Perl scripts on the server. The Perl code uses the VTCPD process to communicate with the external host. VTCPD is a Periphonics process that integrates with the rest of its environment and allows TCP/IP socket communication. However it does not directly support HTTP protocols and requires extra header information to direct messages to the different applications running on the IVR.

[0069] As a further security measure, the speech recognition system may store a voiceprint of the user and compare that with the speech data. This voiceprint may be trained by the initial inputs of the user on the first few occasions that the user accesses the service. If subsequently the received speech data diverges significantly from the expected voiceprint, then the system may request additional verification from the user, or may refuse access to the service.

[0070] The invention is by no means limited to implementations in which speech input is received via a conventional telephony network. For example, in an alternative implementation a customer uses a common terminal 3 for both text and speech input. The speech is transmitted in VoIP (voice over Internet Protocol) format.

[0071] For applications requiring the highest levels of security it is desirable to address the risk of the security code being intercepted in transmission from the user to the application that verifies the security code. In this case, the verification application may be run locally at the customer terminal. The application in this case may be implemented using VXML (Voice eXtended Mark-up Language).

1. A method of assigning an identification code from a finite grammar defining all possible identification codes, the method comprising the steps: a) selecting a word from each of a plurality of predetermined sets of words according to identification data relating to a user; b) concatenating said words to form a sequence for use as the identification code; and c) storing a record of the sequence and of the identity of the user associated with said identification code.
 2. A method according to claim 1 in which the selecting step a) comprises sub steps of d) receiving from a user, identification data comprising a number of attributes, each attribute corresponding to one of said predetermined sets; e) selecting for each user attribute, a word from the associated predetermined set which is related to the supplied user attribute.
 3. A method according to claim 2 in which the selecting sub step e) comprises selecting a word which is equal to the supplied user attribute if the supplied user attribute is a member of the associated predetermined set, otherwise selecting a word from the associated predetermined set which is related to the spelling of the supplied user attribute.
 4. A method according to claim 1, in which the selection of words at step a) is determined both by the user identification data and by a parameter dependent on the number of enrolled users having the same user identification data.
 5. A method according to any one of the preceding claims, in which one of the predetermined sets of words comprises personal names, the method including receiving from a user the user's name, comparing the user's name with the set of personal names, when the user's name is included in the set of personal names, assigning to the user an identification code including the user's name, or otherwise assigning to the user an identification code including a different word in place of the user's name.
 6. A method according to claim 1 wherein the finite grammar includes a separator word between a first predetermined set of words and a second predetermined set of words.
 7. A method according to claim 6, in which the set of possible separator tokens has a single member only.
 8. A method according to claim 1, wherein the finite grammar includes a phrase associated with one of said predetermined sets of words and in which the phrase distinguishes between homonyms in said one set of predetermined words.
 9. A method according to claim 8, in which the said phrase is a number.
 10. A method of operating a customer service, including receiving from a user a user identification code, verifying the user identification code, and executing a transaction with the user characterised in that the identification code comprises an identification code assigned by a method according to any one of the preceding claims.
 11. A method according to claim 10, in which the step of receiving from the user the user identification code includes receiving a spoken identification code at a speech recognition device pre-programmed with a recognition grammar comprising the said sets of natural language words.
 12. A method according to claim 10 or 11, the method including receiving some identification codes and executing some transactions via a text interface, and receiving other identification codes and executing other transactions via a speech interface. 